Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on localhost without additional authentication or network-level controls, this could potentially allow a malicious website-visited by a user running the server locally-to use DNS rebinding techniques to bypass same-origin policy restrictions and issue requests to the local MCP server. If successfully exploited, this could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the local user. This issue is limited to HTTP-based transport modes (StreamableHTTP). It does not affect servers using stdio transport. The practical risk is further reduced in deployments that use authentication, network-level access controls, or are not bound to localhost. This vulnerability is fixed in 1.7.0.
AnalysisAI
Apollo MCP Server versions prior to 1.7.0 fail to validate HTTP Host headers on StreamableHTTP transport, allowing unauthenticated remote attackers with user interaction to bypass same-origin policy via DNS rebinding attacks and invoke GraphQL tools or access resources on behalf of a local user. The vulnerability is limited to HTTP-based deployments without network-level controls and does not affect stdio transport configurations. Vendor-released patch: version 1.7.0.
Technical ContextAI
Apollo MCP Server implements the Model Context Protocol to expose GraphQL operations as tools via HTTP transport (StreamableHTTP). The vulnerability stems from insufficient Host header validation (CWE-346: Origin Validation Error), a classic server-side same-origin policy bypass mechanism. When a browser-based attacker controls a malicious website visited by a user running the local MCP server, DNS rebinding techniques can redirect domain name resolution to localhost, causing the victim's browser to issue authenticated HTTP requests to the local MCP server. Without Host header validation, the server treats these cross-origin requests as legitimate, allowing tool invocation and resource access. This attack vector is eliminated in stdio transport modes, which do not use HTTP, and is mitigated by authentication, reverse proxy validation, firewall rules, or binding to non-localhost interfaces. The CPE cpe:2.3:a:apollographql:apollo-mcp-server:*:*:*:*:*:*:*:* identifies all versions of the affected product prior to patching.
RemediationAI
Immediately upgrade Apollo MCP Server to version 1.7.0 or later, which includes Host header validation. For organizations unable to upgrade immediately, implement network-level mitigations: bind the HTTP server to a non-localhost interface only when necessary and restrict access via firewall rules, deploy the MCP server behind an authenticated reverse proxy that validates Host headers, or switch to stdio transport if compatible with your deployment architecture. As an interim measure, require authentication at the application level until patching is complete. Patches are referenced in pull requests #602 and #635 at https://github.com/apollographql/apollo-mcp-server/pull/602 and https://github.com/apollographql/apollo-mcp-server/pull/635.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21061